Access your Pro+ Content below.

Layer8: Applying numbers to risk management

Risk management brings you closer to the business, but you must understand that risk is not a numbers game. When I started in IT the late 1980s, the discipline of protecting computers was unambiguously referred to as computer security. In the mid '90s, we had heated discussions over the appropriateness of the term information security. Just a few years ago, most of the vendors that had earlier touted their wares as infosecurity products decided to reposition themselves as being in the compliance business. At about that same time, I caught flak for using this column to suggest security was a risk management function. Now the term du jour is GRC, an unpronounceable acronym standing for governance, risk and compliance. Terminology inflation represents a positive trend in this case. It is indicative of a legitimate broadening of perspective and improved alignment with the business. Security is a specialized task, a narrow focus on a specific set of vulnerabilities that can potentially be exploited by humans. In practice, most ...